CVE-2025-64459
Published 2025-11-05
Priority: P2 · 79 · critical · CVSS 3.1 base score 9.1 · vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploit: public PoC referenced (see Detection & IOCs)
EPSS: 19.14% (97.0th percentile)
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.
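As an added example (written for this page, not part of the advisory or of Django's own code), the following Python shows why a caller-controlled `_connector` matters and how to keep request dictionaries away from the ORM's keyword arguments. `render_where` is a deliberately simplified model of the string join Django's `WhereNode` performs when it emits a WHERE clause, `validate_connector` models the allow-list check the fixed releases apply to the connector, and `ALLOWED_LOOKUPS` / `build_filter_kwargs` are a hypothetical application-side guard; the SQL fragments are constructed for the demonstration.

```python
"""Added example: how a caller-supplied ``_connector`` reaches SQL, and how to keep
user-controlled dict keys away from ``QuerySet.filter()`` / ``Q()``.

Illustrative code written for this page, not Django's source. ``render_where`` is a
simplified model of the join Django's WhereNode performs; ``ALLOWED_LOOKUPS`` and
``build_filter_kwargs`` are a hypothetical application-side allow-list.
"""
from typing import Any, Dict, List, Mapping, Optional

# The three connectors the ORM legitimately understands.
VALID_CONNECTORS = {"AND", "OR", "XOR"}


def render_where(children: List[str], connector: str, negated: bool = False) -> str:
    """Simplified model of WhereNode.as_sql(): child conditions are joined with the
    connector as a plain string, so whatever arrives as the connector ends up
    verbatim in the generated SQL (the values themselves stay parameterised)."""
    sql = f" {connector} ".join(children)
    if negated:
        sql = f"NOT ({sql})"
    elif len(children) > 1:
        sql = f"({sql})"
    return sql


def validate_connector(connector: Optional[str]) -> Optional[str]:
    """Check modelled on the patched Q() constructor: anything outside the three
    known connectors is rejected before it can be interpolated."""
    if connector is not None and connector not in VALID_CONNECTORS:
        raise ValueError(f"_connector must be one of {sorted(VALID_CONNECTORS)}")
    return connector


# Hypothetical allow-list for an endpoint that lets callers filter users.
ALLOWED_LOOKUPS = {"username", "email__iexact", "is_active"}


def build_filter_kwargs(params: Mapping[str, Any]) -> Dict[str, Any]:
    """Turn raw query-string parameters into kwargs safe for
    ``User.objects.filter(**kwargs)``.

    Vulnerable pattern this replaces: ``User.objects.filter(**request.GET.dict())``,
    which lets a caller supply ``_connector`` and ``_negated`` directly.
    """
    safe: Dict[str, Any] = {}
    for key, value in params.items():
        # Underscore-prefixed keys are Q()/filter() control parameters, never fields.
        if key.startswith("_"):
            raise ValueError(f"rejected control parameter {key!r}")
        if key not in ALLOWED_LOOKUPS:
            raise ValueError(f"unknown filter field {key!r}")
        safe[key] = value
    return safe


if __name__ == "__main__":
    # Constructed child conditions, as the compiler would produce for
    # filter(username=..., is_superuser=...).
    conds = ['"auth_user"."username" = %s', '"auth_user"."is_superuser" = %s']
    print(render_where(conds, "AND"))        # the intended query
    print(render_where(conds, "OR"))         # valid connector, changed meaning
    print(render_where(conds, "OR 1=1 OR"))  # arbitrary string pasted into SQL
    for bad in ("OR 1=1 OR",):
        try:
            validate_connector(bad)
        except ValueError as exc:
            print("fix rejects:", exc)
    try:
        build_filter_kwargs({"username": "alice", "_connector": "OR"})
    except ValueError as exc:
        print("app guard rejects:", exc)
```

Note that the second `render_where` call uses the perfectly valid connector `OR`: no SQL syntax is injected, yet `username = ? OR is_superuser = ?` already matches every superuser, which is the shape of the `_connector=OR&is_superuser=True` request the ET rules look for. The application-side guard therefore has to reject the key outright, not just sanitise its value, and the upstream fix alone does not make `filter(**request.GET.dict())` a safe pattern.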
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 3:3.2.25-0+deb12u1 (bookworm) | python-django 3:3.2.25-0+deb12u1 (bookworm) |
| djangoproject | django | >= 0 < 4.2.26 | 4.2.26 |
| djangoproject | django | >= 4.2 < 4.2.26 | 4.2.26 |
| djangoproject | django | >= 5.0a1 < 5.1.14 | 5.1.14 |
| djangoproject | django | >= 5.1 < 5.1.14 | 5.1.14 |
| djangoproject | django | >= 5.2 < 5.2.8 | 5.2.8 |
| djangoproject | django | >= 5.2a1 < 5.2.8 | 5.2.8 |
Detection & IOCs (extracted from sources)
- url: `/api/users?`
- command: `_connector=OR`
- command: `_negated=True`
- command: `is_superuser=True`
suricata (ET rule, sid:2065701)
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Django Privilege Escalation via SQLi (CVE-2025-64459)"; flow:established,to_server; http.uri; content:"/api/users|3f|"; fast_pattern; content:"_negated|3d|True"; http.method; content:"GET"; reference:url,www.endorlabs.com/learn/critical-sql-injection-vulnerability-in-django-cve-2025-64459; reference:cve,2025-64459; classtype:web-application-attack; sid:2065701; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_11_07, cve CVE_2025_64459, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
suricata (ET rule, sid:2065699)
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Django Authentication Bypass via SQLi (CVE-2025-64459)"; flow:established,to_server; http.uri; content:"/api/users|3f|"; fast_pattern; content:"_connector|3d|OR"; content:"is_superuser|3d|True"; http.method; content:"GET"; reference:url,www.endorlabs.com/learn/critical-sql-injection-vulnerability-in-django-cve-2025-64459; reference:cve,2025-64459; classtype:web-application-attack; sid:2065699; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_11_07, cve CVE_2025_64459, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Detect HTTP GET requests to /api/users with `_connector=OR` and `is_superuser=True` query parameters, indicative of authentication bypass (ET sid:2065699). Note that `OR` is itself a valid connector value: this variant injects no SQL syntax, it flips the query's boolean logic so that an attacker-supplied `is_superuser=True` condition is OR-ed with the legitimate filter.
- Detect HTTP GET requests to /api/users with the `_negated=True` query parameter, indicative of privilege escalation via a negated filter (ET sid:2065701).
- A third ET rule (sid:2065700, "Data Exfiltration") matches the same URI with `_connector=OR` and `confidential=True`; its text is reproduced in the Suricata section below.
- The exploit PoC sends a POST request with a 'search' field containing the injected `_connector` value; monitor POST bodies for SQL operator strings (`OR 1=1 OR`, `AND 1=0 AND`, `OR 'a'='a' OR`) in the search parameter.
- The vulnerability is triggered via dictionary expansion as the `_connector` argument to `QuerySet.filter()`, `QuerySet.exclude()`, `QuerySet.get()`, or `Q()`; audit application code for user-controlled input reaching these ORM methods, in particular any `filter(**request.GET.dict())`-style call that forwards request keys verbatim.
- Caveat: the ET rules inspect HTTP application-layer buffers (`http.uri`, `http.method`), so they fire on plaintext HTTP or on TLS traffic that has been decrypted in front of the sensor; the `tls_state TLSDecrypt` / `deployment SSLDecrypt` metadata records that expectation. Without TLS inspection, HTTPS exploitation is invisible to them.
- Caveat: the ET rules are keyed to the specific URI `/api/users?` from the public write-up; applications that expose the vulnerable QuerySet calls on other endpoints, or under other parameter names, will not be detected without customisation.
- Caveat: the PoC requires the target application to expose the executed SQL in its response (e.g. via debug mode or a custom template) so it can parse results; real-world exploitation does not require this, since the injected connector alters the query whether or not the SQL is echoed back.
- Caveat: earlier, unsupported Django series (5.0.x, 4.1.x, 3.2.x) were not evaluated upstream and may also be affected; Debian shipped fixes for 3.2.25 (bookworm) and 2.2.28 (bullseye), so detection and patching scope should not be limited to the three confirmed version ranges.
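To make the last audit item mechanical, here is an added example (written for this page, not a Django or vendor tool) that uses Python's `ast` module to flag every `filter()`, `exclude()`, `get()` or `Q()` call receiving `**`-expanded keyword arguments, which is the shape the advisory describes. `SAMPLE` is a constructed views module with two vulnerable calls and one safe one; to scan real code, read each source file and pass its contents to `find_dict_expansion_sinks`.

```python
"""Added example: static audit for dict expansion reaching the Django ORM entry
points named in the advisory (filter/exclude/get/Q).

Written for this page, not part of Django or any vendor tooling. It reports any
call to those names that uses ``**`` expansion, because that is the shape the
advisory describes ("dictionary expansion as the _connector argument"). The
sample source below is constructed for the demonstration.
"""
import ast
from typing import List, Tuple

# Callee names the advisory lists as accepting _connector/_negated via kwargs.
ORM_SINKS = {"filter", "exclude", "get", "Q"}


def _callee_name(node: ast.Call) -> str:
    """Bare name for ``Q(...)``, attribute name for ``Model.objects.filter(...)``."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def find_dict_expansion_sinks(source: str, filename: str = "<source>") -> List[Tuple[str, int, str]]:
    """Return (filename, line, callee) for each filter/exclude/get/Q call that
    receives ``**something``. Literal kwargs such as ``username=value`` are not
    flagged; only the expansion form can smuggle a ``_connector`` key."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name not in ORM_SINKS:
            continue
        # In the AST, ``**expr`` appears as a keyword whose ``arg`` is None.
        if any(kw.arg is None for kw in node.keywords):
            findings.append((filename, node.lineno, name))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample module: two vulnerable calls, one safe call.
SAMPLE = '''\
from django.db.models import Q
from django.contrib.auth.models import User

def list_users(request):
    # Vulnerable: every query-string key becomes a kwarg, including _connector.
    return User.objects.filter(**request.GET.dict())

def search(request, params):
    # Also vulnerable: Q() takes _connector/_negated the same way.
    return User.objects.filter(Q(**params))

def safe_lookup(request):
    # Fine: explicit field name, nothing attacker-controlled as a key.
    return User.objects.get(username=request.GET.get("username"))
'''

if __name__ == "__main__":
    for fn, line, callee in find_dict_expansion_sinks(SAMPLE, "views.py"):
        print(f"{fn}:{line}: {callee}(**...) receives an expanded dict; "
              "verify its keys cannot come from a request")
```

Matching on the callee name alone is deliberately noisy: `dict.get(**d)` or an unrelated `.filter(**opts)` will also be reported, while a call that assembles kwargs in a variable first is still caught because the expansion, not the variable's origin, is what the scanner keys on. Review each hit for whether the expanded keys can come from a request, and remember that on fixed Django versions a stray `_connector` raises rather than injecting, so hits on patched code are still a code-quality finding rather than an exploitable one.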
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| osv | | 9.1 | CRITICAL | |
| vendor_debian | | 9.1 | CRITICAL | |
| vendor_redhat | | 9.1 | CRITICAL | |
OSV (osv · 2025-11-05 · CVSS 9.1)
CVE-2025-64459 [CRITICAL] CVE-2025-64459: An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
Description identical to the advisory text at the top of this page.
OSV (osv · 2025-11-05)
CVE-2025-64459 [CRITICAL] Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.
Description identical to the advisory text at the top of this page.
GHSA (ghsa · 2025-11-05)
CVE-2025-64459 [CRITICAL] CWE-89 Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.
Description identical to the advisory text at the top of this page.
Ubuntu (vendor_ubuntu · 2025-11-05)
CVE-2025-64459 Django vulnerabilities
Summary: Django could be made to run programs if it received specially crafted network traffic.
It was discovered that Django incorrectly handled certain characters in queries. An attacker could possibly use this issue to execute arbitrary SQL commands.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat (vendor_redhat · 2025-11-05 · CVSS 9.1)
CVE-2025-64459 [CRITICAL] CWE-89 django: Django SQL injection
Description identical to the advisory text at the top of this page, followed by Red Hat's own summary:
A potential SQL injection vulnerability has been discovered in the Django web framework. The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q() were subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as
Debian (vendor_debian · 2025 · CVSS 9.1)
CVE-2025-64459 [CRITICAL] python-django - An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before ...
Description identical to the advisory text at the top of this page.
Scope: local
Status per suite:
- bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
- bullseye: resolved (fixed in 2:2.2.28-1~deb11u10)
- forky: resolved (fixed in 3:4.2.26-1)
- sid: resolved (fixed in 3:4.2.26-1)
- trixie: resolved (fixed in 3:4.2.27-0+deb13u1)
Suricata (suricata · 2025-11-07 · CVSS 9.1)
CVE-2025-64459 [CRITICAL] ET WEB_SPECIFIC_APPS Django Privilege Escalation via SQLi (CVE-2025-64459)
Rule: sid:2065701, rev:1; the full rule text is reproduced under Detection & IOCs above.
Suricata (suricata · 2025-11-07 · CVSS 9.1)
CVE-2025-64459 [CRITICAL] ET WEB_SPECIFIC_APPS Django Authentication Bypass via SQLi (CVE-2025-64459)
Rule: sid:2065699, rev:1; the full rule text is reproduced under Detection & IOCs above.
Suricata (suricata · 2025-11-07 · CVSS 9.1)
CVE-2025-64459 [CRITICAL] ET WEB_SPECIFIC_APPS Django Data Exfiltration via SQLi (CVE-2025-64459)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Django Data Exfiltration via SQLi (CVE-2025-64459)"; flow:established,to_server; http.uri; content:"/api/users|3f|"; fast_pattern; content:"_connector|3d|OR"; content:"confidential|3d|True"; http.method; content:"GET"; reference:url,www.endorlabs.com/learn/critical-sql-injection-vulnerability-in-django-cve-2025-64459; reference:cve,2025-64459; classtype:web-application-attack; sid:2065700; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_11_07, cve CVE_2025_64459, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoin
No writeups or analysis indexed.
Published: 2025-11-05